CVSS 4.0 base score (GHSA): 5.3

SFTPGo Allows Hackers to Bypass Folder Permissions

GHSA-x8qh-7475-c5mp · CVE-2026-30914
Summary

SFTPGo versions before 2.7.1 normalize paths differently in the protocol handlers than in the internal virtual filesystem routing. An authenticated user can craft a path that is checked against one form and routed with another, bypassing folder-level permissions or escaping a configured virtual folder and reaching files that should not be accessible. Update to SFTPGo 2.7.1, which normalizes every protocol-supplied path to a canonical POSIX path before routing or permission checks.

What to do
  • Update SFTPGo (Go module github.com/drakkan/sftpgo/v2) to version 2.7.1 or later.
  • The 1.x line (github.com/drakkan/sftpgo, <= 1.2.2) is also listed as affected, and the advisory lists no fixed 1.x release.
Affected software
Vendor      Product                        Affected versions   Fix available
github.com  drakkan                        <= 2.7.0            2.7.1
github.com  drakkan                        <= 1.2.2            none listed
drakkan     github.com/drakkan/sftpgo/v2   < 2.7.1             2.7.1
drakkan     github.com/drakkan/sftpgo      <= 1.2.2            none listed
Original title
SFTPGo Vulnerable to Path Traversal and Permission Bypass via Path Normalization Discrepancy
Original description
### Impact

In SFTPGo versions prior to 2.7.1, a path normalization discrepancy between the protocol handlers and the internal Virtual Filesystem routing can lead to an authorization bypass. An authenticated attacker can craft specific file paths to bypass folder-level permissions or escape the boundaries of a configured Virtual Folder.


### Patches

This issue has been addressed in SFTPGo version 2.7.1. The fix introduces strict edge-level path normalization, ensuring that all protocol inputs are fully sanitized and resolved to canonical POSIX paths before any routing or permission evaluations occur.
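To make the discrepancy concrete, here is an added Go example that is not SFTPGo's code and does not reproduce its internals. It is a constructed model of the two layers the advisory names: a folder-level permission check and a virtual folder lookup. The denied folder /secret, the virtual folder /vf backed by /srv/shared, the home directory /home/alice and the sample request paths are all assumptions for the illustration. `vulnerableOpen` evaluates permissions and mount prefixes on the raw protocol string and cleans the path only afterwards; `fixedOpen` applies the edge-level normalization the patch describes, cleaning first and running every check on the canonical path.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Constructed sample configuration (assumption, not SFTPGo's data model):
// denied lists virtual folders the user may not read, mounts maps a virtual
// folder to the directory backing it, and home backs everything else.
var (
	denied = []string{"/secret"}
	mounts = map[string]string{"/vf": "/srv/shared"}
	home   = "/home/alice"
)

// canonical turns whatever a protocol handler received into a rooted, cleaned
// POSIX path. path.Clean on an absolute path collapses ".", ".." and repeated
// slashes and can never climb above "/".
func canonical(raw string) string {
	if !strings.HasPrefix(raw, "/") {
		raw = "/" + raw
	}
	return path.Clean(raw)
}

// authorized is a folder-level permission check: a path is refused if it is a
// denied folder or lies beneath one. The prefix test is only sound on
// canonical input.
func authorized(p string) bool {
	for _, d := range denied {
		if p == d || strings.HasPrefix(p, d+"/") {
			return false
		}
	}
	return true
}

// resolve maps a canonical virtual path to its backing filesystem path by
// joining below the mount root (or home), so a leftover ".." cannot escape.
func resolve(p string) string {
	for vpath, root := range mounts {
		if p == vpath || strings.HasPrefix(p, vpath+"/") {
			return path.Join(root, strings.TrimPrefix(p, vpath))
		}
	}
	return path.Join(home, p)
}

// vulnerableOpen models the discrepancy: the permission check and the mount
// lookup see the raw string, while cleaning happens later on a different
// string. It returns the backing path that would be served and whether the
// request passed the check.
func vulnerableOpen(raw string) (string, bool) {
	if !authorized(raw) { // prefix check on un-normalized input
		return "", false
	}
	for vpath, root := range mounts {
		if strings.HasPrefix(raw, vpath+"/") {
			// ".." survives into the concatenation and is resolved against root
			return path.Clean(root + raw[len(vpath):]), true
		}
	}
	return path.Clean(home + "/" + raw), true
}

// fixedOpen normalizes at the edge, then runs every check on the canonical path.
func fixedOpen(raw string) (string, bool) {
	p := canonical(raw)
	if !authorized(p) {
		return "", false
	}
	return resolve(p), true
}

func main() {
	// Constructed sample requests: three reach the denied folder through
	// un-normalized spellings, the fourth climbs out of the virtual folder.
	for _, raw := range []string{
		"/public/../secret/key.pem",
		"secret/key.pem",
		"//secret/key.pem",
		"/vf/../../etc/passwd",
	} {
		vp, vok := vulnerableOpen(raw)
		fp, fok := fixedOpen(raw)
		fmt.Printf("%-28s vulnerable: allowed=%-5v %-30s fixed: allowed=%-5v %s\n",
			raw, vok, vp, fok, fp)
	}
}
```

With the vulnerable ordering, "/public/../secret/key.pem", "secret/key.pem" and "//secret/key.pem" all pass the /secret prefix check and are then cleaned into the denied folder, and "/vf/../../etc/passwd" is joined to the mount root before cleaning and resolves to /etc/passwd. With normalization first, the three /secret variants are refused and the traversal request stays under the user's home. The general rule the patch applies is the same: derive one canonical path at the protocol edge and never let a later layer re-interpret the original bytes.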
Vulnerability type
CWE-22 Path Traversal
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026